Vulnerability CVE-2017-14496


Published: 2017-10-02   Modified: 2017-10-03

Description:
Integer underflow in the add_pseudoheader function in dnsmasq before 2.78 , when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service via a crafted DNS request.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
Dnsmasq < 2.78 Integer Underflow
Multiple
03.10.2017

Type:

CWE-191

(Integer Underflow (Wrap or Wraparound))

Vendor: Debian
Product: Debian linux 
Version:
9.0
7.1
7.0
Vendor: Google
Product: Android 
Version:
8.0
7.1.2
7.1.1
7.0
6.0.1
6.0
5.1.1
5.0.2
4.4.4
Vendor: Redhat
Product: Enterprise linux server 
Version: 7.0;
Product: Enterprise linux desktop 
Version: 7.0;
Product: Enterprise linux workstation 
Version: 7.0;
Vendor: Novell
Product: LEAP 
Version: 42.3; 42.2;
Vendor: Thekelleys
Product: Dnsmasq 
Version: 2.77;
Vendor: Canonical
Product: Ubuntu linux 
Version:
17.04
16.04
14.04

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.8/10
6.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Complete

 References:
http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00006.html
http://nvidia.custhelp.com/app/answers/detail/a_id/4561
http://thekelleys.org.uk/dnsmasq/CHANGELOG
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=897c113fda0886a28a986cc6ba17bb93bd6cb1c7
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-005.txt
http://www.debian.org/security/2017/dsa-3989
http://www.securityfocus.com/bid/101085
http://www.securityfocus.com/bid/101977
http://www.securitytracker.com/id/1039474
http://www.ubuntu.com/usn/USN-3430-1
http://www.ubuntu.com/usn/USN-3430-2
https://access.redhat.com/errata/RHSA-2017:2836
https://access.redhat.com/security/vulnerabilities/3199382
https://cert-portal.siemens.com/productcert/pdf/ssa-689071.pdf
https://security.gentoo.org/glsa/201710-27
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
https://source.android.com/security/bulletin/2017-10-01
https://www.exploit-db.com/exploits/42946/
https://www.kb.cert.org/vuls/id/973527
https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg11664.html
https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg11665.html
https://www.synology.com/support/security/Synology_SA_17_59_Dnsmasq

Related CVE
CVE-2019-12436
Samba 4.10.x before 4.10.5 has a NULL pointer dereference, leading to an AD DC LDAP server Denial of Service. This is related to an attacker using the paged search control. The attacker must have directory read access in order to attempt an exploit.
CVE-2019-11479
Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial ...
CVE-2019-11478
Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denia...
CVE-2019-11477
Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This ha...
CVE-2019-0196
A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request ...
CVE-2019-0220
A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions...
CVE-2019-12749
dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference ...
CVE-2019-11596
In memcached before 1.5.14, a NULL pointer dereference was found in the "lru mode" and "lru temp_ttl" commands. This causes a denial of service when parsing crafted lru command messages in process_lru_command in memcached.c.

Copyright 2019, cxsecurity.com

 

Back to Top